Microsoft Corp. disclosed last week that an "extremely serious" flaw in an extension included in Windows 2000 could allow a malicious hacker to gain complete control of any computer running the Internet Information Services (IIS) 5.0 software built into that operating system.
The software vendor "strongly" urged all IIS 5.0 users to install a patch, available online (see chart), that's supposed to fix the problem. There are no reports that the flaw has been exploited yet.
Scott Culp, a program manager at Microsoft's security response center, said it's "imperative" that anyone running IIS 5.0 apply the patch. The hole is especially serious because it could enable an attacker to run code that would give him complete control of Windows 2000 on a vulnerable server.
"There is literally nothing [an attacker] could not do," Culp said.
Microsoft said the vulnerability is caused by an unchecked buffer in an extension that provides native support for Internet printing capabilities within Windows 2000.
Culp said the hole will affect only those users who have explicitly turned on IIS 5.0 and the Internet Printing Protocol feature offered as part of Windows 2000. The problematic extension that implements the protocol is installed by default on all Windows 2000-based servers, but it can be accessed only via IIS 5.0.
The hole was first reported to Microsoft 10 days ago by eEye Digital Security, an Aliso Viejo, Calif.-based security software vendor that has posted its own advisory about the vulnerability.
According to that advisory, a filter on Microsoft's Internet Server application programming interface (ISAPI) extension that controls the Internet printing commands "does not do proper 'bounds checking' on user-inputted buffers." That makes the server susceptible to buffer overflow attacks that could give hackers the keys they need to gain system-level access to servers.
Once that's accomplished, said Marc Maiffret, chief hacking officer at eEye, an attacker could view all of the files on a penetrated server and execute any command.
While the hole itself is somewhat obscure, security analysts said ways to exploit it are sure to be developed and shared among would-be attackers. Maiffret said eEye is posting "a proof-of-concept exploit that can't be used maliciously."
As a result, systems administrators need to act quickly to ensure that their corporate servers don't get attacked, Maiffret said.
"As soon as somebody learns about [the hole], they need to install the patch," he advised. "They shouldn't wait an hour or a day."
Microsoft has posted 18 security bulletins for IIS 5.0 since January of last year.
Costello is a reporter for the IDG News Service.